Front-end input validations do work when using a web browser.
The concern, however, is when the user manages to bypass the front-end, in which case the back-end is missing validations.
I observe that some POST methods, as well as the database insertion functions in model.py,
do not employ input validation. Additionally, the database schema itself does not contain certain data-integrity checks (e.g. illegal characters and numerical constraints in number of MCs).
All of these need to be implemented eventually to guard against data contamination in the database.
Here's a reference for implementing the regex check:
https://www.postgresql.org/docs/8.3/static/functions-matching.html
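
One way to layer the two missing checks, written as an added example rather than code from this project: a server-side validator called by the insertion function, backed by CHECK constraints in the schema. The `module` table, its column names, the allowlist patterns and the 0 to 40 MC range are assumptions, and an in-memory SQLite database stands in for PostgreSQL so the example runs offline.

```python
import re
import sqlite3

# Assumed allowlists; the real rules depend on what the application stores.
CODE_RE = re.compile(r"[A-Z]{2,3}[0-9]{4}[A-Z]?")
NAME_RE = re.compile(r"[A-Za-z0-9 ,.&()'-]{1,100}")

# Schema-level checks still reject bad rows if a code path skips validate_module().
# In PostgreSQL a regex constraint reads: CHECK (code ~ '^[A-Z]{2,3}[0-9]{4}[A-Z]?$')
SCHEMA = """
CREATE TABLE module (
    code TEXT PRIMARY KEY CHECK (length(code) BETWEEN 6 AND 8),
    name TEXT NOT NULL CHECK (length(name) BETWEEN 1 AND 100),
    mcs  INTEGER NOT NULL CHECK (typeof(mcs) = 'integer' AND mcs BETWEEN 0 AND 40)
)
"""

def validate_module(code, name, mcs):
    """Return the names of fields that fail validation (empty list = acceptable)."""
    errors = []
    if not isinstance(code, str) or not CODE_RE.fullmatch(code):
        errors.append("code")
    if not isinstance(name, str) or not NAME_RE.fullmatch(name):
        errors.append("name")
    # bool is a subclass of int, so exclude it explicitly.
    if isinstance(mcs, bool) or not isinstance(mcs, int) or not 0 <= mcs <= 40:
        errors.append("mcs")
    return errors

def add_module(conn, code, name, mcs):
    """Validate on the server, then insert using bound parameters."""
    errors = validate_module(code, name, mcs)
    if errors:
        raise ValueError("invalid fields: " + ", ".join(errors))
    conn.execute("INSERT INTO module (code, name, mcs) VALUES (?, ?, ?)", (code, name, mcs))

def demo():
    """Insert one good row, then submit constructed bad rows as a client skipping the front-end would."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    add_module(conn, "CS1010", "Intro to Programming", 4)  # constructed sample row
    rejected = []
    bad = [("CS1010<script>", "x", 4), ("CS2100", "Computer Organisation", -4), ("CS2100", "Org", "4")]
    for row in bad:
        try:
            add_module(conn, *row)
        except ValueError as exc:
            rejected.append(str(exc))
    return conn, rejected
```

Using `fullmatch` rather than `match` or `search` matters here: an unanchored pattern would accept a valid prefix followed by arbitrary characters.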